One prominent security researcher has discovered a vulnerability in the batteries of Apple's MacBook line of portable computers that could allow hackers to ruin the batteries or install malware on them that could corrupt a Mac.

Charlie Miller, a renowned white-hat hacker who works for security firm Accuvant, plans next month to reveal a MacBook battery vulnerability he has discovered and to offer a fix for it, Forbes reports. Miller found the default passwords used to access the microcontroller in Apple's batteries inside a 2009 firmware update and used them to gain access to the battery firmware.

Apple and other laptop makers use embedded chips in their lithium-ion laptop batteries to monitor the pack's charge level, start and stop charging, and regulate heat.

During the course of his tests, the researcher "bricked" seven batteries, rendering them unusable by rewriting the firmware. Of more concern is the possibility that hackers could use the vulnerability to install difficult to remove malware, or, in a worst case scenario, cause the batteries to explode.

"These batteries just aren't designed with the idea that people will mess with them," he said. "What I'm showing is that it's possible to use them to do something really bad." According to him, few IT administrators would think to check the battery, giving hackers an opportunity to hide malicious software on a battery that could repeatedly implant itself on a computer.

Miller admitted that he hasn't tried to blow up any batteries, but he did say it might be possible. "You read stories about batteries in electronic devices that blow up without any interference," he noted. "If you have all this control, you can probably do it."

Another researcher, Barnaby Jack, who works for antivirus software maker McAfee, also looked into the battery issue a couple years ago, but said he didn't get as far as Miller did.

Miller, who is a regular winner of security contests demonstrating Mac, Safari and iPhone exploits, has notified Apple and Texas Instruments of the issue. Despite requests from several other researchers not to proceed, he plans to unveil the vulnerability, along with a fix he calls "Caulkgun," at the Black Hat security conference next month.

"Caulk Gun" will change a battery's default passwords to a random string of characters. While the fix will prevent hackers from breaking into the battery, it would also block any future firmware updates from Apple.
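The control that the fix changes, and the trade-off the article describes, as an added illustration in C (constructed here; not Apple's, Texas Instruments' or Miller's code): a gauge that refuses firmware and key writes while sealed, a probe that tells you whether a pack still accepts the shipped default key, a Caulkgun-style key rotation, and a flashing routine that a legitimate updater and an attacker who knows the default both walk identically. ASSUMED_DEFAULT_KEY, the command names and the update flow are assumptions for illustration; the real password and controller protocol are not reproduced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Placeholder for the shipped default unseal key (assumption; the real value
 * is not reproduced). The point is that every pack ships with the same one. */
#define ASSUMED_DEFAULT_KEY 0x04140414u

struct gauge {
    uint32_t key;         /* key the gauge compares against on an unseal attempt */
    bool     sealed;      /* while sealed, firmware and key writes are refused */
    unsigned fw_version;
};

void gauge_init(struct gauge *g)
{
    g->key = ASSUMED_DEFAULT_KEY;
    g->sealed = true;
    g->fw_version = 1;
}

bool gauge_unseal(struct gauge *g, uint32_t key)
{
    if (key != g->key)
        return false;
    g->sealed = false;
    return true;
}

void gauge_seal(struct gauge *g) { g->sealed = true; }

bool gauge_write_firmware(struct gauge *g, unsigned version)
{
    if (g->sealed)
        return false;
    g->fw_version = version;
    return true;
}

bool gauge_set_key(struct gauge *g, uint32_t new_key)
{
    if (g->sealed)
        return false;
    g->key = new_key;
    return true;
}

/* Audit probe: does this pack still unseal with the shipped default? Reseals
 * afterwards so the check itself leaves nothing open. */
bool pack_uses_default_key(struct gauge *g)
{
    bool hit = gauge_unseal(g, ASSUMED_DEFAULT_KEY);
    gauge_seal(g);
    return hit;
}

/* Flash new firmware with a given key. A vendor updater and an attacker who has
 * read the default out of an update package take exactly this path. */
bool flash_with_key(struct gauge *g, uint32_t key, unsigned version)
{
    if (!gauge_unseal(g, key))
        return false;
    bool ok = gauge_write_firmware(g, version);
    gauge_seal(g);
    return ok;
}

/* Caulkgun-style mitigation: unseal with the default, replace it with a key the
 * attacker does not know, reseal. Anything built around the default, the
 * vendor's updater included, is locked out from then on. */
bool rotate_default_key(struct gauge *g, uint32_t new_key)
{
    if (new_key == ASSUMED_DEFAULT_KEY || !gauge_unseal(g, ASSUMED_DEFAULT_KEY))
        return false;
    bool ok = gauge_set_key(g, new_key);
    gauge_seal(g);
    return ok;
}

/* Fresh key from the OS RNG; fails rather than falling back to a weak key. */
bool random_key(uint32_t *out)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return false;
    size_t n = fread(out, sizeof *out, 1, f);
    fclose(f);
    return n == 1 && *out != ASSUMED_DEFAULT_KEY;
}

int main(void)
{
    struct gauge g;
    gauge_init(&g);
    printf("default key accepted: %s\n", pack_uses_default_key(&g) ? "yes" : "no");
    printf("attacker flashes v99 with default key: %s\n",
           flash_with_key(&g, ASSUMED_DEFAULT_KEY, 99) ? "succeeded" : "refused");
    uint32_t k;
    if (!random_key(&k) || !rotate_default_key(&g, k))
        return 1;
    printf("default key accepted after rotation: %s\n", pack_uses_default_key(&g) ? "yes" : "no");
    printf("vendor updater with default key: %s\n",
           flash_with_key(&g, ASSUMED_DEFAULT_KEY, 100) ? "succeeded" : "refused");
    printf("owner with rotated key: %s (firmware now v%u)\n",
           flash_with_key(&g, k, 100) ? "succeeded" : "refused", g.fw_version);
    return 0;
}
```

The rotation locks out everyone who only knows the default, which is exactly why an updater built around that default stops working afterwards: whoever rotates the key has to keep it, or the pack can never be updated again.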

The state of security

In spite of the battery vulnerability that he uncovered, Miller believes Mac OS X security is better than ever before. According to him, Apple engineers made few security-related changes in the jump from Leopard to Snow Leopard, but they made substantial improvements in Mac OS X 10.7 Lion, which was released on Wednesday.

"Now, they've made significant changes and it's going to be harder to exploit, he said, as noted by The Register.

"It's a significant improvement, and the best way that I've described the level of security in Lion is that it's Windows 7, plus, plus," said noted security consultant Dino Dai Zovi.

Apple offered security researchers, including Miller and Dai Zovi, an unprecedented early look at Lion in order to get their feedback.

According to the researchers, Lion's biggest security improvement is its support for Address Space Layout Randomization (ASLR), which randomizes where critical system components are loaded in memory so an attacker cannot rely on fixed addresses. Apple also added sandboxing in Safari to contain the damage from bugs or malware in the browser. Finally, the revamped FileVault can now encrypt an entire drive.

I'm on my second defective Apple Mac Book battery. It is in a middle 2008 polycarbonate 2.4 GHz Core 2 Duo model. The first one expanded so much that it pushed the track pad and some keys upward causing them to stick. The latest replacement decided it would not hold a charge more than one and a half hours for a while. Then it refused to hold a charge more than a few minutes.

This is from the batch that was recalled from Sony years ago. I assumed that they fixed the problem and stopped sending out defective ones. I assumed wrong.

Apple refused to replace the first one. So I reported it to the Consumer Products Safety Commission or whatever it is called. Only then did Apple contact me and offer to replace it. The replacement only worked for a few weeks before problems started. My laptop computer is not relegated to being a desktop computer.

Now that a software hack is about to be released into the world that could destroy more batteries, Apple had better prepare itself with some new batteries. What if such a hack or even a defect happens in the sealed batteries in the all aluminum models? That would be really bad.

Seems like anyplace there is flash based firmware, there is a possibility that...well you know, someone could alter it. Which is kind of the whole idea in the first place.... you don't need an EEPROM burner to make changes nor physical access to the hardware.

I am not saying that there isn't a vulnerability, just that it isn't surprising that it exists.

Of more concern is the possibility that hackers could use the vulnerability to install difficult to remove malware, or, in a worst case scenario, cause the batteries to explode.

Miller admitted that he hasn't tried to blow up any batteries, but he did say it might be possible. "You read stories about batteries in electronic devices that blow up without any interference, he noted. If you have all this control, you can probably do it.

I'm pretty sure the explosions happened because the hardware was defective and not the software. They found extra metal shavings in one batch of batteries that reacted so I highly doubt adjusting the firmware would cause an explosion. However, being able to brick a battery is enough cause for concern.

Great.
Another hacker turned "security activist".
Only out to make a name for himself. Doesn't care about anyone else.
Hint, if he cared about security and users, he wouldn't release his findings to the general public.
All these hacktivists are simply out for themselves.
It is pretty sick.

I don’t think it’s as simple as him being a bad guy. Yes, he’s out for all those things, BUT his skills are genuine, and he’s doing good by finding real issues that can and should be fixed.

He’s doing the right thing, as long as he lets the vendor issue a patch before he goes public.

Oh... wait

In any case, it sounds fixable—but I’ll wait for Apple’s fix, not his! Especially if his home-brew fix bricks the firmware anyway, leaving Apple’s own patch unable to run, as well as any other Apple battery firmware updates in future! No, thanks.

Question: when he talks about the “potential” to install “malware,” does he really mean that the battery can access your file system? Or that just an implication he’s willing to imply by vague language, knowing it’s not the case? Or is it just something that’s been reported without his full details? I’m wondering if the reality isn’t that the theoretical “malware” could itself only affect the battery. Still annoying/destructive, if that’s the case, but it’s not a gateway to what most people think of as real malware: something that affects or steals your data, apps or OS. You could call malware that exists only on your battery and never gets out to be “on your computer,” but that would be misleading. What’s the real situation?

As for the fire/explosion FUD... research a mechanism that could make such a thing happen by code alone. Until then, it’s just fearmongering. Great for anti-Apple headlines though! Let’s see if another “gate” springs up soon (Of course, other PC brands are probably just as vulnerable—but not as good for attention.)

I don't think it's as simple as him being a bad guy. Yes, he's out for all those things, BUT his skills are genuine, and he's doing good by finding real issues that can and should be fixed.

He's doing the right thing, as long as he lets the vendor issue a patch before he goes public.

Oh... wait

In any case, it sounds fixable, but I'll wait for Apple's fix, not his! Especially if his home-brew fix bricks the firmware anyway, leaving Apple's own patch unable to run, as well as any other Apple battery firmware updates in future! No, thanks.

Question: when he talks about the "potential" to install "malware," does he really mean that the battery can access your file system? Or that just an implication he's willing to imply by vague language, knowing it's not the case? Or is it just something that's been reported without his full details? I'm wondering if the reality isn't that the theoretical "malware" could itself only affect the battery. Still annoying/destructive, if that's the case, but it's not a gateway to what most people think of as real malware: something that affects or steals your data, apps or OS. You could call malware that exists only on your battery and never gets out to be "on your computer," but that would be misleading. What's the real situation?

As for the fire/explosion FUD... research a mechanism that could make such a thing happen by code alone. Until then, it's just fearmongering. Great for anti-Apple headlines though! Let's see if another "gate" springs up soon (Of course, other PC brands are probably just as vulnerable, but not as good for attention.)

Yes, firmware could cause damage and even fire/explosion to a Li-Ion battery. Say the malicious battery code caused the battery to charge at its maximum rate far beyond its capacity. You get heat when that happens. Enough heat and you get bursting and/or fire.

But my question is, who would want to go to the effort to ruin my battery? What's in it for them? And how on earth could firmware in a battery inject malicious code BACK into the O.S.? I'll believe it only when I see a demo. Until then I'm flagging this statement as crazy conjecture.

Great.
Another hacker turned "security activist".
Only out to make a name for himself. Doesn't care about anyone else.
Hint, if he cared about security and users, he wouldn't release his findings to the general public.
All these hacktivists are simply out for themselves.
It is pretty sick.

If he didn't release his findings then he couldn't win competitions. If he didn't win competitions then he would have no reputation and then couldn't make money from being a known expert. If he can't make money from that then there's nothing to pay for him to find these things and pass the information on to Apple and others.

Obviously he's out for himself but so is everyone else. We all work to get paid, some of us enjoy our jobs, but if we weren't paid we wouldn't do them. At the same time he's still helping Apple make their products more secure.

Question: when he talks about the "potential" to install "malware," does he really mean that the battery can access your file system? Or that just an implication he's willing to imply by vague language, knowing it's not the case? Or is it just something that's been reported without his full details? I'm wondering if the reality isn't that the theoretical "malware" could itself only affect the battery. Still annoying/destructive, if that's the case, but it's not a gateway to what most people think of as real malware: something that affects or steals your data, apps or OS. You could call malware that exists only on your battery and never gets out to be "on your computer," but that would be misleading. What's the real situation?

The battery circuit sends signals to the computer (firmware+OS), essentially its status. If there is a security hole (e.g., a buffer overflow) in the OS code reading the battery's messages, the battery could potentially gain access to the filesystem.
I think it is highly unlikely; at best it might just corrupt part of the firmware or OS, bricking, handicapping or disrupting the functioning of the computer and the OS, but not being able to execute any useful code for the malefactor.
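An added example in C of the failure mode the reply above hypothesises (constructed here; not code from Apple, Texas Instruments or any real driver, and not evidence that such a bug exists anywhere): a host reads a Smart Battery System string such as ManufacturerName over an SMBus block read, where the device supplies a count byte followed by the data. The unchecked version trusts the count; the hardened version bounds it by the 32-byte SMBus 2.0 block limit, by the bytes actually received and by the destination buffer, and replaces non-printable bytes so a hostile pack cannot push control characters into logs. The frames are constructed inline, not captured from hardware.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SMBus 2.0 block transfers carry at most 32 data bytes after the count byte. */
#define SBS_BLOCK_MAX 32

/* Constructed frames, laid out as a driver would see them after a block read:
 * first byte is the device-supplied count, then the data. Not real captures. */
static const uint8_t benign_frame[]   = { 5, 'A', 'C', 'M', 'E', '1' };
static const uint8_t oversize_frame[] = { 200, 'X', 'X', 'X', 'X' };   /* count beyond spec and data */
static const uint8_t short_frame[]    = { 10, 'a', 'b', 'c' };         /* claims more than arrived */
static const uint8_t ctrl_frame[]     = { 4, 'O', 'K', '\n', 0x1b };  /* control bytes aimed at a log */

/* VULNERABLE: trusts the device's count byte. With a count of 200 this writes
 * 200 bytes into a 33-byte buffer, a stack overflow driven entirely by the
 * battery. Shown for contrast; never call it on an untrusted frame. */
void read_name_unchecked(const uint8_t *frame, char out[SBS_BLOCK_MAX + 1])
{
    size_t count = frame[0];
    memcpy(out, frame + 1, count);
    out[count] = '\0';
}

/* HARDENED: bounds the count by the spec maximum, the bytes actually received
 * and the destination size, and replaces non-printable bytes with '?'.
 * Returns the number of characters stored, or -1 if the frame is rejected. */
int read_name_checked(const uint8_t *frame, size_t frame_len, char *out, size_t out_len)
{
    if (frame == NULL || out == NULL || frame_len == 0 || out_len == 0)
        return -1;
    size_t count = frame[0];
    if (count > SBS_BLOCK_MAX)        /* device violates the protocol */
        return -1;
    if (count > frame_len - 1)        /* device claims more than the bus delivered */
        return -1;
    if (count >= out_len)             /* leave room for the terminator */
        return -1;
    for (size_t i = 0; i < count; i++) {
        unsigned char c = frame[1 + i];
        out[i] = isprint(c) ? (char)c : '?';
    }
    out[count] = '\0';
    return (int)count;
}

int main(void)
{
    char name[SBS_BLOCK_MAX + 1];
    const struct { const char *label; const uint8_t *frame; size_t len; } cases[] = {
        { "benign",   benign_frame,   sizeof benign_frame },
        { "oversize", oversize_frame, sizeof oversize_frame },
        { "short",    short_frame,    sizeof short_frame },
        { "control",  ctrl_frame,     sizeof ctrl_frame },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int n = read_name_checked(cases[i].frame, cases[i].len, name, sizeof name);
        if (n < 0)
            printf("%-8s rejected (count byte %u)\n", cases[i].label, cases[i].frame[0]);
        else
            printf("%-8s accepted: \"%s\" (%d bytes)\n", cases[i].label, name, n);
    }
    read_name_unchecked(benign_frame, name);   /* safe only because this frame is well-formed */
    printf("unchecked on benign frame: \"%s\"\n", name);
    return 0;
}
```

The same three bounds apply to any length-prefixed field a peripheral hands the host; the device's own count is attacker-controlled the moment the device's firmware is.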

The image in the article shows MacBook removable batteries. They appear to be similar to the MacBook battery that I replaced recently (in my MacBook 4,1). I used a 3rd party battery that was substantially less expensive than the Apple replacement battery. Now I have several questions...

1) Does the 3rd party battery have the same default password that the original battery had ?

2) Would the 3rd party battery take firmware updates sent out by Apple (assuming they cared about a 3 year old design at this point)?

3) Is the default password something assigned by Apple or TI (I'm guessing the latter).

4) How does anyone know that these 3rd party batteries (the one I bought says 'agptek' on the box) are free of malware in the first place ?

A true White Hat doesn't release exploits to the public until the vendor has issued a patch. Miller is clearly a Grey Hat.

(and others...)

Perhaps you missed a couple of points in the story above:

1) Miller has not released the technical details of the vulnerability yet. Nobody could create an exploit using only the data that has been released so far. Apple and Texas Instruments still have an opportunity to release a patch before the details are released.

2) When Miller does release the technical details, he has announced that he will also be releasing his own tool to plug the vulnerability at the same time. (This tool is something of a blunt instrument, though: it replaces the battery's password with a random string so no future legitimate Apple updates for future stability and feature improvements will work after installing Miller's patch. This is a tradeoff that each hardware owner would have to consider.)

Yes, firmware could cause damage and even fire/explosion to a Li-Ion battery. Say the malicious battery code caused the battery to charge at its maximum rate far beyond its capacity. You get heat when that happens. Enough heat and you get bursting and/or fire.

But my question is, who would want to go to the effort to ruin my battery? What's in it for them? And how on earth could firmware in a battery inject malicious code BACK into the O.S.? I'll believe it only when I see a demo. Until then I'm flagging this statement as crazy conjecture.

And, of course, for someone to install an exploit (even if it existed), they'd have to get access to your computer. If they have access to your computer, there are easier ways to install malware. Or they could simply steal the computer.

It's an interesting theoretical result. But until someone demonstrates a mechanism whereby the computer could be affected, it's purely theoretical.

It's no different than the situation with cars today. My car has a USB port where I can plug in my iPod. Many of the car's features are run by computers and all of them are connected in one way or another. So, in theory, it would be possible to have malware on my iPod that would cause the engine to shut down when I hit 60 mph. I'm not holding my breath, though.

"I'm way over my head when it comes to technical issues like this"Gatorguy 5/31/13

Seems like anyplace there is flash based firmware, there is a possibility that...well you know, someone could alter it. Which is kind of the whole idea in the first place.... you don't need an EEPROM burner to make changes nor physical access to the hardware.

I am not saying that there isn't a vulnerability, just that it isn't surprising that it exists.

Maybe we need less intelligent hardware???

It's not all bad. The batteries recalibrate themselves as they gradually fade, so EEPROM might not be the best thing to do. Also, if they find an improved charging technique, they can release an update.

Yes, firmware could cause damage and even fire/explosion to a Li-Ion battery. Say the malicious battery code caused the battery to charge at its maximum rate far beyond its capacity. You get heat when that happens. Enough heat and you get bursting and/or fire.

This is completely incorrect. There is NO way for a firmware failure to cause the kinds of hazards claimed here or by Mr. Miller. The agency certifications carried by Apple products (UL/CSA/IEC) require that those products be designed and tested to the applicable safety standards. In the case of a LiPo battery pack, the charging circuits must not cause undue stress to the batteries even in the presence of a single point fault. The cells themselves must be certified against the applicable bare battery safety standards.

The lab performing the safety test will analyze the pack's circuitry to identify those places where a circuit fault will cause the most stress to the cells and they will cause a fault there. The resulting stress must remain within the cell's specified safe operating area.

As a result of these regulatory requirements, virtually all certified battery packs have double or triple redundancy in their charge/discharge safety circuits. A firmware failure would NOT pose a safety threat.

It is possible for a firmware hack to degrade pack life or render the battery gauge useless. I highly doubt that hacking the battery firmware would result in the installation of malware. Does anyone really think that Mac OS stores x86 code in the battery? It may be that X86 code could malfunction if the battery pack does not communicate properly, but the idea that a virus could be installed in the battery pack, then re-insert itself in MacOS after a virus sweep, is pure fantasy.

Unfortunately, the engineering of a product such as a Mac requires a great deal of specialized knowledge which neither Mr. Miller, the journalism community, nor the public at large possess. As a result, we get the sort of hyperbole of "antennagate" and now this.

And, of course, for someone to install an exploit (even if it existed), they'd have to get access to your computer. If they have access to your computer, there are easier ways to install malware. Or they could simply steal the computer.

or they could sell you a replacement battery, with the malware pre-installed. These are batteries, they will fail eventually, and would need to be replaced. Many of the purchasers may have moved along to more recent model laptops, but the old ones will still float around for a while.

So someone would need to install malware on my machine, which could then infect the firmware, which could then infect the OS... aside from it re-installing malware, how is that worse than just having malware in the first place?

Or maybe even more frightening, I'd have to install an infected battery in my laptop - when at least new models don't even HAVE swappable batteries. So Apple would need to install an infected battery. How scary!!! Not.

On other news, I just found a way to infect the Mac laptop touch pad. Are you all scared now?

1) Miller has not released the technical details of the vulnerability yet. Nobody could create an exploit using only the data that has been released so far. Apple and Texas Instruments still have an opportunity to release a patch before the details are released.

2) When Miller does release the technical details, he has announced that he will also be releasing his own tool to plug the vulnerability at the same time. (This tool is something of a blunt instrument, though: it replaces the battery's password with a random string so no future legitimate Apple updates for future stability and feature improvements will work after installing Miller's patch. This is a tradeoff that each hardware owner would have to consider.)

I didn't miss those things, they're just irrelevant. Number 1 is discountable because he's said when and where he's releasing it, which means he is prepared to do it before Apple and TI have patched it. Number 2 is irrelevant because his "solution", as you noted, simply replaces the password he's gotten a hold of with a random string rendering the firmware unmodifiable. That's not a cure, that's first aid. It's bad first aid too, because it renders the cure impossible to administer. Besides which, Miller knows the vast majority of affected users will not know or care to apply his solution anyway, whereas everyone who wants to exploit the flaw will be paying attention to his method. He's arming the attackers with a rifle and saying it's okay because he's handing the victims a caulk gun (a humorously appropriate metaphor) to defend themselves with.

"Caulk Gun" will change a battery's default passwords to a random string of characters. While the fix will prevent hackers from breaking into the battery, it would also block any future firmware updates from Apple.

Sounds to me like this Caulk Gun is pretty much malware itself as messing with that password could cause your battery to malfunction particularly if the OS is updated and needs to know that password

Quote:

"Now, they've made significant changes and it's going to be harder to exploit,” he said, as noted by The Register.

Translation: But this exploit is basically not a big deal cause Apple has improved the system security making it harder for me or anyone else to get to the firmware level to muck around.

Great.
Another hacker turned "security activist".
Only out to make a name for himself. Doesn't care about anyone else.
Hint, if he cared about security and users, he wouldn't release his findings to the general public.
All these hacktivists are simply out for themselves.
It is pretty sick.

The only sick thing is your pathetic need to blame the security guy instead of Apple, who couldn't be bothered to change the default password.

The only sick thing is your pathetic need to blame the security guy instead of Apple, who couldn't be bothered to change the default password.

Agreed. How the hell is it this guy's fault? Get the blinkers off. He's performing a service, if he was a sicko you would never have known about this, only a story of battery failure and bricked Macbooks.

One prominent security researcher has discovered a vulnerability in the batteries of Apple's MacBook line of portable computers that could allow hackers to ruin the batteries or install malware on them that could corrupt a Mac.

So in essence it's a battery manufacturer exploit in conjunction with being installed in an Apple product and not solely an Apple 'vulnerability'? If so, why take an alarmist approach and denigrate Apple? And has the battery manufacturer been notified as well? Otherwise it is similar to putting the blame on a car manufacturer for using substandard tyres.

The only sick thing is your pathetic need to blame the security guy instead of Apple, who couldn't be bothered to change the default password.

I'd blame the security guy for the wholesale manufacture of threats that don't exist. The battery cannot be made to catch fire or explode (as I explained earlier), nor is x86 code stored in/retrieved from the battery controller firmware. I do believe this is a case of Mr. Miller's ignorance and self interest getting the better of himself and a great many others.

Great.
Another hacker turned "security activist".
Only out to make a name for himself. Doesn't care about anyone else.
Hint, if he cared about security and users, he wouldn't release his findings to the general public.
All these hacktivists are simply out for themselves.
It is pretty sick.

To his credit, unlike most security researchers, he doesn't keep chasing the security problem down a rabbit hole and asserting each time something is fixed that there is still some horrible problem remaining. He also doesn't seem to be an absolutist and talks about "good enough" security at times.

He publicly stated a bunch of things he thought were wrong with OS-X's security and agitated for them to be fixed. When Apple fixed them one by one, he congratulated them one by one. Now they've fixed most everything he complained about... he is mostly not complaining anymore.

It's his job to point out these insecurities. Now he seems to be saying that OS-X is pretty secure at this point and he is switching to criticising the batteries. I don't see what the big problem is with this. You couldn't really ask the guy to be much more professional.

The image in the article shows MacBook removable batteries. They appear to be similar to the MacBook battery that I replaced recently (in my MacBook 4,1). I used a 3rd party battery that was substantially less expensive than the Apple replacement battery. Now I have several questions...

1) Does the 3rd party battery have the same default password that the original battery had ?

2) Would the 3rd party battery take firmware updates sent out by Apple (assuming they cared about a 3 year old design at this point).

3) Is the default password something assigned by Apple or TI (I'm guessing the latter).

4) How does anyone know that these 3rd party batteries (the one I bought says 'agptek' on the box) are free of malware in the first place ?

like I didn't have enough things to worry about already

If you have a third party fake Apple battery in your MacBook, that last thing you should worry about is being hacked by an exploit that at this point is just theoretical.

You should worry about being poisoned or burned by the battery, about the children that were probably forced to make it in some filthy sweatshop somewhere, and about the very real possibility that it will catch fire or explode at any moment. Seriously.

Or maybe even more frightening, I'd have to install an infected battery in my laptop - when at least new models don't even HAVE swappable batteries. So Apple would need to install an infected battery. How scary!!! Not.

Apple's component suppliers could sell them infected batteries, just like the iPod hard drives:

I'm on my second defective Apple Mac Book battery. It is in a middle 2008 polycarbonate 2.4 GHz Core 2 Duo model. The first one expanded so much that it pushed the track pad and some keys upward causing them to stick. The latest replacement decided it would not hold a charge more than one and a half hours for a while. Then it refused to hold a charge more than a few minutes.

This is from the batch that was recalled from Sony years ago. I assumed that they fixed the problem and stopped sending out defective ones. I assumed wrong.

Apple refused to replace the first one. So I reported it to the Consumer Products Safety Commission or whatever it is called. Only then did Apple contact me and offer to replace it. The replacement only worked for a few weeks before problems started. My laptop computer is not relegated to being a desktop computer.

Now that a software hack is about to be released into the world that could destroy more batteries, Apple had better prepare itself with some new batteries. What if such a hack or even a defect happens in the sealed batteries in the all aluminum models? That would be really bad.

I just flat out don't believe you here.

At the very least you are leaving out a lot of mitigating circumstances or other detail that would elucidate why Apple behaved in such an atypical manner for them. For instance it makes absolutely no sense at all that you bought an Apple computer with a battery in it that was "... from the batch that Sony recalled years ago." Unless you are explaining it incorrectly, that's just a plain old lie.

At the very least you are leaving out a lot of mitigating circumstances or other detail that would elucidate why Apple behaved in such an atypical manner for them. For instance it makes absolutely no sense at all that you bought an Apple computer with a battery in it that was "... from the batch that Sony recalled years ago." Unless you are explaining it incorrectly, that's just a plain old lie.

Furthermore, I've never had a problem with Apple replacing a bloated battery without question. Since it's a potential fire and explosion hazard, and they can ship these batteries back to the manufacturer for credit there is no harm in correcting this for the user.

Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"

At the very least you are leaving out a lot of mitigating circumstances or other detail that would elucidate why Apple behaved in such an atypical manner for them. For instance it makes absolutely no sense at all that you bought an Apple computer with a battery in it that was "... from the batch that Sony recalled years ago." Unless you are explaining it incorrectly, that's just a plain old lie.

If the serial number of the battery doesn't fall into the range noted by Apple as having a problem, this is exactly how they would behave, even if it was a manufacturing defect. We've seen time and time again that Apple refuses to fix different product defects until there is such a consumer and media uprising that they have no other choice.

As for batteries failing, I can attest it happens. My brother and I just pulled a battery out of a 2009 13" MacBook Pro today which had swelled to the point where the trackpad was pushed up past the top of the case. When we pulled it out of the case it had swelled to the point where it was a full 1/2 inch taller than it should have been. Apple absolutely refused to replace it without being paid $179. It was the original battery provided by Apple and was clearly defective.

Firmware controls when to allow the battery to charge and by how much. By hacking the firmware, one could leave the batteries on full charge when they are actually at 100% state of charge and can't take any more energy. Then you'll get heat and then venting of the electrolyte from the cells. Lithium Ion-based batteries are toxic to us humans and the vented gas is not only flammable, but corrosive and lethal.

This is a bad thing. If Apple has not responded after a few weeks or months, then he might as well release the info and force them to do something.

. . . have posted a warning that there is a vulnerability in Kohler toilets that could allow Al Queda to remotely detonate explosives planted in the tank. By installing their Caulk fix this problem is alleviated. However, you will lose the ability to flush.

Firmware controls when to allow the battery to charge and by how much. By hacking the firmware, one could leave the batteries on full charge when they are actually at 100% state of charge and can't take any more energy. Then you'll get heat and then venting of the electrolyte from the cells. Lithium Ion-based batteries are toxic to us humans and the vented gas is not only flammable, but corrosive and lethal.

This is a bad thing. If Apple has not responded after a few weeks or months, then he might as well release the info and force them to do something.

You have no idea what you are talking about. The charge control hardware in a LiPo system will not force the battery into a hazardous state even if the firmware is hacked. This is a regulated requirement for consumer products carrying UL/CSA/IEC certification. If a LiPo battery were to vent, the gas would be hydrogen, which is non-toxic. You can float a LiPo cell at its rated full-charge voltage (4.2 or 4.3V depending on the chemistry) indefinitely with no harm.

Apple has no obligation to teach engineering to Mr. Miller, or to you.